It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.

as I mentioned before, the problem was that the group mappings are AND conjunctions and so the user always was put into the default group, and you're right, I set the default group to "No Access" (what is right in fact).